Most firms have inadequate web app defences, study shows

Most firms have inadequate defences for web applications, a study has revealed.



The reason is that defences tend to be geared around attack averages, said Amichai Shulman, chief technology officer at security firm Imperva.

But the latest Imperva Web Application Attack Report shows that half of the attack incidents on 50 web applications monitored over a six-month period exceeded the average intensity.

"Half the sample attack incidents, made up of multiple malicious requests to the web applications, lasted more than the average of 7 minutes, 42 seconds, with some lasting up to 79 minutes," he told Computer Weekly.

If all that defences are designed to cope with is the average attack incident, he said, half of the time they will be overwhelmed by attack requests per second that are way above the average.

The research data shows that most of the time very little happens, but every once in a while there is an outbreak of attacks.

While the average sample web application was hit by attack incidents 33% of the time, some had to cope with attacks 80% of the time, the study shows.

For this reason, Shulman believes organisations should base their web application defences on the worst-case scenario, or at least on the typical attack seen in practice, rather than on the statistical average.
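The sizing argument above, worked through as an added illustration that is not from the report or from Imperva: a script over a constructed set of WAF-flagged request timestamps groups them into incidents (using an assumed five-minute silence threshold) and puts the average duration and request rate beside the worst case, which is the figure a rate limit or WAF capacity should be planned against.

```python
from collections import Counter
from statistics import mean
# Constructed sample (not data from the Imperva report): one web application's
# attack incidents as (start offset s, duration s, malicious request count).
SAMPLE_INCIDENTS = [
    (0, 60, 120),          # 1 min at 2 req/s
    (3600, 120, 600),      # 2 min at 5 req/s
    (7200, 300, 600),      # 5 min at 2 req/s
    (14400, 1500, 7500),   # 25 min at 5 req/s
    (28800, 1800, 18000),  # 30 min at 10 req/s
    (43200, 4740, 4740),   # 79 min at 1 req/s
]
INCIDENT_GAP_MS = 300_000  # assumed: 5 min of silence closes an incident

def expand_requests(incidents):
    """Flat, sorted list of request timestamps (integer ms), evenly spread."""
    times = []
    for start, duration, count in incidents:
        times.extend(start * 1000 + i * (duration * 1000 // count) for i in range(count))
    return sorted(times)

def group_incidents(times, gap_ms=INCIDENT_GAP_MS):
    """Split sorted timestamps into incidents separated by more than gap_ms."""
    groups, current = [], [times[0]]
    for t in times[1:]:
        if t - current[-1] > gap_ms:
            groups.append(current)
            current = []
        current.append(t)
    groups.append(current)
    return groups

def peak_rps(times):
    """Most requests landing in any single one-second bucket."""
    return max(Counter(t // 1000 for t in times).values())

def burst_profile(times):
    """Average-based figures next to the worst case a defence must absorb."""
    groups = group_incidents(times)
    durations = [g[-1] - g[0] for g in groups]
    peaks = [peak_rps(g) for g in groups]
    avg = mean(durations)
    return {
        "incidents": len(groups),
        "mean_duration_s": avg / 1000,
        "share_longer_than_mean": sum(d > avg for d in durations) / len(durations),
        "mean_peak_rps": mean(peaks),
        "worst_peak_rps": max(peaks),  # size rate limits and WAF capacity on this
    }
```

With this sample, half the incidents outlast the mean and the worst burst is more than twice the mean peak rate, so a defence provisioned for the average would be overwhelmed by the 30-minute incident.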

Imperva's research showed that attack incident history could not be used to predict future attacks.

"We went through all our attack data trying to find some predictive model, but we are quite certain there is no predictability," said Shulman. "This means security teams need to be prepared to mitigate attacks without any advance notice."

The latest research and analysis shows that, in addition to basing defences on extreme bursts of attacks, organisations should ensure that security procedures and controls are as automated as possible, he said, because the attack volume is typically too great to deal with manually.

"Organisations should also test their readiness to accommodate bursty threats by simulating them, which is probably the best way to find out if your defences are adequate," said Shulman.

The study also confirmed that SQL injection remains the most commonly used attack on web applications.

Other top attack methods include cross-site scripting (XSS), remote file inclusion (RFI) and local file inclusion (LFI), the report said.
